Between March and June 2025, Proofpoint researchers tracked three distinct China‑aligned threat actors launching spear‑phishing campaigns against Taiwanese semiconductor firms, design houses, service providers, and financial analysts. These coordinated attacks underscore China’s intensified cyber‑espionage efforts aimed at overcoming U.S. and Taiwanese export controls and pose broader implications for global cybersecurity services and supply‑chain security in MEA markets.
Proofpoint’s “Phish and Chips” report, released 16 July 2025, details how state‑aligned hackers—tracked as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp—targeted the Taiwanese semiconductor ecosystem from March–June 2025. Each group executed employment-themed phishing or credential-stealing campaigns tied to espionage efforts.
Stepped-Up Espionage
Proofpoint attributes this intensification to China’s strategic drive towards semiconductor self-reliance amplified after new U.S. and Taiwanese export restrictions were imposed earlier in 2025.
Campaigns & Technical Tactics
UNK_FistBump: Job-Lure Spear‑Phishing
From May–June 2025, UNK_FistBump used recruiter-themed emails—sent from compromised Taiwanese university addresses—to entice semiconductor firms with resumes. LNK payloads delivered either Cobalt Strike Beacons or the custom Voldemort backdoor via DLL sideloading.
- Chain 1 (Cobalt Strike): RC4-encrypted loader (jli.dll) sideloaded using javaw.exe to communicate with C2 at 166.88.61[.]35.
- Chain 2 (Voldemort): Google Sheets used for exfil, mimicking APT41 (TA415) behavior, but with custom RC4 and DLL loader.
UNK_DropPitch: Investment‑Analyst Bait
In April–May 2025, UNK_DropPitch targeted financial analysts with fake collaboration emails that led to zip archives used to sideload a malicious DLL. This delivered the HealthKick backdoor, which communicates over FakeTLS to the IP 82.118.16[.]72. In a second wave, the group delivered raw TCP reverse shells and deployed the Intel EMA remote-management (RMM) tool.
UNK_SparkyCarp: AITM Phishing
In March 2025, UNK_SparkyCarp used adversary‑in‑the‑middle kits to phish semiconductor employees, mimicking login portals to capture credentials.
MITRE ATT&CK Mapping & IOCs
| Tactic | Technique | Code |
|------------------|--------------------------------------|--------------|
| Initial Access | Spearphishing Attachment | T1566.001 |
| Execution | DLL Side-loading via LNK/C2 | T1218.019 |
| C2 | Cobalt Strike Beacon, FakeTLS | T1071.001 |
| Exfiltration | Google Sheets API, Reverse Shell | T1041 |
| Persistence | Scheduled Tasks, Registry Run Keys| T1053.005, T1547.001 |
Sample IOCs: C2 IPs 166.88.61[.]35 and 82.118.16[.]72; domains such as api.moctw[.]info and accshieldportal[.]com; SHA‑256 hashes of the LNK and DLL payloads.
MEA Implications & Global Context
Regional Risks
Taiwan’s chip industry is a key node in global electronics supply chains, including those serving MEA. The same spear-phishing methods can be turned against MEA chipmakers, electronics firms, and their financial partners. MEA regulators, such as the UAE’s NESA, Saudi Arabia’s NCA, and Kenya’s DMCA, should reinforce cybersecurity training with supply‑chain resilience in mind.
International Response
Taiwan’s ongoing cybersecurity reforms, which expand incident-readiness capabilities and include partnerships with CISA and Japan’s NISC, mirror MEA’s increasing cooperation with global agencies.
Expert Perspectives
“We’ve seen entities not previously targeted now receiving phishing emails,” said Mark Kelly, Proofpoint threat researcher. “This signals elevated strategic focus.”
(Reuters)
Taiwan-based TeamT5 noted, “Targeting of semiconductors and the supply chain… is a persistent threat.”
Actionable Takeaways
- Strengthen Email Authentication – Enforce DMARC, DKIM, SPF and monitor anomalies.
- Spear‑Phishing Simulations – Regularly test with supply‑chain mailing lists.
- Endpoint Detection – Monitor DLL sideloading, LNK execution, scheduled task creation.
- Network Monitoring – Alert on uncommon C2 channels like Google Sheets API.
- Zero‑Trust Architecture – Micro-segment personnel systems and restrict lateral movement.
- Supply‑Chain Oversight – Assess vendors with geopolitical risk exposure.
- Incident Collaboration – Establish cross-border channels with Taiwanese agencies.
- Threat Intelligence Integration – Ingest IOC feeds from Proofpoint/sec‑vendors.
- Awareness Campaigns – Educate finance and HR staff on advanced phishing.
- Regular Audits – Assess controls under ISO/IEC 27001, NESA, NCA frameworks.
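To make the endpoint and network items above concrete, here is an added example (not code from the Proofpoint report or this article) that runs a few simple detections over constructed sample telemetry: javaw.exe started from outside a Java install directory, jli.dll loaded from a user-writable path (the sideload described for UNK_FistBump), connections to the C2 indicators quoted in the article, and Google Sheets API traffic from a non-browser process. The Java install paths, browser list, and the event schema are assumptions; the sample events are constructed.

```python
from dataclasses import dataclass

# Indicators quoted in the article (defanged there, normalised here).
C2_IPS = {"166.88.61.35", "82.118.16.72"}
C2_DOMAINS = {"api.moctw.info", "accshieldportal.com"}
# Google Sheets is normal for browsers; from other processes it is worth a look.
SHEETS_HOST = "sheets.googleapis.com"
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption: allow-listed clients
# Assumed locations of a legitimate Java install; javaw.exe elsewhere is a sideload candidate.
JAVA_DIRS = ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\")

@dataclass
class Event:
    kind: str          # "process", "imageload" or "netconn" (assumed schema)
    process: str       # image name of the acting process, e.g. javaw.exe
    path: str = ""     # image path (process) or loaded module path (imageload)
    parent: str = ""   # parent image name for process events
    dest: str = ""     # destination host or IP for netconn events

def classify(ev: Event) -> list[str]:
    """Return the names of the detections that fire for a single event."""
    hits = []
    proc, path = ev.process.lower(), ev.path.lower()
    if ev.kind == "process" and proc == "javaw.exe" and not path.startswith(JAVA_DIRS):
        # A renamed or copied javaw.exe in Temp/Downloads is how jli.dll gets sideloaded.
        hits.append("javaw_outside_java_dir")
    if ev.kind == "imageload" and path.endswith("\\jli.dll") and not path.startswith(JAVA_DIRS):
        hits.append("jli_dll_sideload")
    if ev.kind == "netconn":
        dest = ev.dest.lower()
        if dest in C2_IPS or dest in C2_DOMAINS:
            hits.append("known_c2_indicator")
        if dest == SHEETS_HOST and proc not in BROWSERS:
            hits.append("sheets_api_from_non_browser")
    return hits

def scan(events: list[Event]) -> dict[str, list[Event]]:
    """Group events by the detection that fired, for triage."""
    out: dict[str, list[Event]] = {}
    for ev in events:
        for name in classify(ev):
            out.setdefault(name, []).append(ev)
    return out

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    Event("process", "javaw.exe", path="C:\\Program Files\\Java\\jre-17\\bin\\javaw.exe", parent="explorer.exe"),
    Event("process", "javaw.exe", path="C:\\Users\\bob\\AppData\\Local\\Temp\\resume\\javaw.exe", parent="explorer.exe"),
    Event("imageload", "javaw.exe", path="C:\\Users\\bob\\AppData\\Local\\Temp\\resume\\jli.dll"),
    Event("netconn", "javaw.exe", dest="166.88.61.35"),
    Event("netconn", "chrome.exe", dest="sheets.googleapis.com"),
    Event("netconn", "javaw.exe", dest="sheets.googleapis.com"),
]
```

The javaw.exe path check is a heuristic, not a signature: tune JAVA_DIRS to the install locations your fleet actually uses before relying on it.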
Conclusion
The Proofpoint “Phish and Chips” findings show a qualitative shift in China‑aligned cyber‑espionage: multiple concurrent campaigns, evolving malware, and a focus that extends beyond first-tier firms. For CISOs in MEA and beyond, this emphasizes that semiconductor supply‑chain cybersecurity is a global problem, not a local one. The time for pentesting, supply‑chain vigilance, and cross‑border cybersecurity awareness is now, to stay ahead of geopolitical cyber threats.